Audit
How to audit a Fedora/Red Hat system with pam_tty_audit (keyboard logging through the audit subsystem).
Tested on Fedora 11 x86_64.
### /etc/pam.d/sshd ###
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
# Keyboard logging.
session    include      pam_tty_audit
session    optional     pam_keyinit.so force revoke
session    include      system-auth

### /etc/pam.d/su ###
#%PAM-1.0
auth       sufficient   pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth      sufficient   pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth      required     pam_wheel.so use_uid
auth       include      system-auth
account    sufficient   pam_succeed_if.so uid = 0 use_uid quiet
account    include      system-auth
password   include      system-auth
session    include      system-auth
# Keyboard logging.
session    include      pam_tty_audit
session    optional     pam_xauth.so

### /etc/pam.d/sudo ###
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
# Keyboard logging.
session    include      pam_tty_audit

### /etc/pam.d/sudo-i ###
#%PAM-1.0
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
# Keyboard logging.
session    include      pam_tty_audit

### /etc/pam.d/pam_tty_audit ###
# Enable keyboard logging.
session    required     pam_tty_audit.so disable=* enable=superman,root open_only
Reading logged data
- Data is written only after the user's session ends, so tailing /var/log/audit/audit.log will not show keystrokes as they are typed.
To see what has happened on the TTY, with numeric IDs (UIDs, event types) translated to names:
aureport -i --tty
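For reading the raw records without aureport, an added example that is not part of the original page: it parses the type=TTY lines the kernel writes to /var/log/audit/audit.log when pam_tty_audit is active, decodes the hex-encoded data= field into readable keystrokes (our own rendering, not byte-for-byte what aureport -i prints), and joins them per login session keyed on auid, the login UID that stays with the session through su to root. The sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample (not from the original page) of raw audit.log records.
# type=TTY lines carry the keystrokes hex-encoded in data=; other types are ignored.
SAMPLE_LOG = """\
type=USER_START msg=audit(1253270400.000:200): user pid=2300 uid=0 auid=500 ses=3 msg='op=PAM:session_open acct="superman" exe="/usr/sbin/sshd" hostname=? addr=? terminal=ssh res=success'
type=TTY msg=audit(1253270400.101:201): tty pid=2311 uid=500 auid=500 ses=3 major=136 minor=1 comm="bash" data=6C73202D6C610A
type=TTY msg=audit(1253270402.555:202): tty pid=2311 uid=500 auid=500 ses=3 major=136 minor=1 comm="bash" data=7375202D0A
type=TTY msg=audit(1253270420.020:205): tty pid=2390 uid=0 auid=500 ses=3 major=136 minor=1 comm="bash" data=7669202F6574632F7375646F6572730A
type=TTY msg=audit(1253270430.000:207): tty pid=2390 uid=0 auid=500 ses=3 major=136 minor=1 comm="bash" data=7461696C0A03
"""

TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): tty '
    r'pid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+) ses=(?P<ses>\d+) '
    r'major=\d+ minor=\d+ comm="(?P<comm>[^"]*)" data=(?P<data>[0-9A-Fa-f]*)\s*$'
)

def decode_keys(hexdata):
    """Render the hex keystroke buffer: newline/CR as <ret>, other control
    bytes in caret notation (^C), non-ASCII bytes as \\xNN."""
    out = []
    for b in bytes.fromhex(hexdata):
        if b in (0x0A, 0x0D):
            out.append("<ret>")
        elif b < 0x20 or b == 0x7F:
            out.append("^" + chr((b + 0x40) & 0x7F))
        elif b < 0x80:
            out.append(chr(b))
        else:
            out.append("\\x%02X" % b)
    return "".join(out)

def parse_tty_records(log_text):
    """Return one dict per type=TTY record, numeric fields converted, keys decoded."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for k in ("serial", "pid", "uid", "auid", "ses"):
            rec[k] = int(rec[k])
        rec["ts"] = float(rec["ts"])
        rec["keys"] = decode_keys(rec["data"])
        records.append(rec)
    return records

def transcripts(records):
    """Join keystrokes per (auid, ses) in serial order: uid changes after su,
    auid does not, so the whole login session stays attributed to one user."""
    by_session = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["serial"]):
        by_session[(rec["auid"], rec["ses"])].append(rec["keys"])
    return {k: "".join(v) for k, v in by_session.items()}
```

Run it against a copy of audit.log by passing the file's contents to parse_tty_records; the USER_START record is skipped while the four TTY records reconstruct one session under auid 500.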